NIS2-ready: your supply chain secure and demonstrably compliant

We implement mandatory NIS2 measures - from board accountability to supply-chain checks - so you can connect with peace of mind.

2025.07.22 - NIS2-What-Demands

What does the NIS2 directive call for?

  • Management responsibility: management remains ultimately accountable for cyber risks
  • Risk-based measures (Article 21): including access management, vulnerability patching and logging
  • Supply-chain risk assessment (Article 22): mandatory insight into the supply chain
  • Incident reporting within 24 hrs (Article 23): to the CSIRT & customers
  • Standardisation & certification (Article 25): to ensure uniform requirements

Explanation: "essential" vs. "important" entities according to the NIS2 directive

When are you one?
  Essential entity: large organisations in the 12 critical sectors (including energy, transport, healthcare) and a few special service providers such as trust service providers
  Important entity: companies from the same sectors that do not meet the threshold for "essential" but are still relevant to the economy or security

Supervision by the authority
  Essential entity: proactive and reactive: scheduled inspections, audits, security scans and ad hoc investigations
  Important entity: lighter, mainly retrospective: investigation only when there are signs of non-compliance or incidents

Maximum fine for a violation
  Essential entity: ≥ € 10 mln or 2% of worldwide annual turnover (whichever is higher)
  Important entity: ≥ € 7 mln or 1.4% of worldwide annual turnover (whichever is higher)

Why this difference?
  Essential entity: they provide services that are "critical" to society and the economy, hence the stricter regime
  Important entity: still important, but lower systemic impact; a balance between risk and administrative burden

In a nutshell

Essential = most critical: intense scrutiny & higher fines.
Important = in scope, but lighter scrutiny & lower fines.

Incontrol (Maxdoro) helps both types of customers by offering uniform NIS2 measures (incident reporting, supply-chain checks, cyber hygiene).

How Incontrol interprets this

Governance
  Concrete approach: ISMS policy, awareness policy & periodic management reporting. Management signs an annual NIS2 (policy) statement.
  Relevant to whom: C-level, compliance officer

Technical & organisational measures
  Concrete approach: ISO 27001 controls linked to Article 21, e.g.:
    - Multi-factor authentication & strong passwords
    - Malware protection and patch management
    - Logging & monitoring 24/7
  Relevant to whom: IT security, operations

Supply-chain security
  Concrete approach: supplier assessment, cloud service checklist and contract clauses according to Article 22
  Relevant to whom: procurement, vendor manager

Incident response
  Concrete approach: processor agreements, CSIRT escalation plan, 24-hour notification & evidence preservation
  Relevant to whom: privacy/security officer

Continuity
  Concrete approach: Azure geo-replica + recovery plan
  Relevant to whom: audit & risk

Our Cyber Hygiene Pillars

Key points of our cyber hygiene:

  1. Configuration management & zero trust - only approved builds, change-management process
  2. Backups & geo-replica - 7-day point-in-time restore + weekly backups retained 5 weeks back
  3. Secure encryption (OWASP/SSDm) - mandatory in every sprint (zero-trust principle)
  4. Awareness - weekly security update in our MondayMorningMeeting


Frequently Asked Questions

We provide standard incident reports (should the need arise) that you can forward 1-to-1 to the supervisory authority.

No, our standard configuration covers the baseline; additional requirements can always be discussed in consultation.

No, data remains in Azure data centers West & North-Europe (Netherlands/Ireland).

Download the list of subprocessors here (see NL/EN versions on Incontrol.app)

Yes, pen testing & BC testing can be coordinated and the results shared. Any costs are borne by you as the client.